Entities allowed before slashes on a protocol relative URL
⚠ Browser differences
1
1
1
4You can place whitespace before slashes, this vector finds out what entities you can place before them.
Created byhackvertor
Created Jul 6, 2024
Updated May 27, 2025
Detecting browser...
CategoryEntity Parsing
VisibilityPublic
TypeJS
CharsetUTF-8
$[data1] placeholderhtml_entities
Code used before fuzz:
const div = document.createElement('div')Template used:
div.innerHTML='<a href="$[data1]//example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
log('$[data1]');0x0D
}Sample payloads
div.innerHTML='<a href="NO_MATCHES//example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
alert('NO_MATCHES');0x0D
}div.innerHTML='<a href="\//example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
alert('\');0x0D
}div.innerHTML='<a href="
//example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
alert('
');0x0D
}div.innerHTML='<a href="///example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
alert('/');0x0D
}div.innerHTML='<a href="	//example.com">';0x0D
if(div.querySelector('a').host === 'example.com') {0x0D
alert('	');0x0D
}Fuzz results
Chrome 144.0.0.0 mobile Android 10
Updated
Sat Jan 31 2026
Found 1 result
Loading...
Chrome 130.0.0.0 desktop macOS 10.15.7older version
Updated
Mon Oct 28 2024
Found 4 results
Loading...
Firefox 147.0 desktop Linux
Updated
Sun Feb 01 2026
Found 1 result
Loading...
Firefox 127.0 desktop macOS 10.15older version
Updated
Sat Jul 06 2024
Found 4 results
Loading...
Microsoft Edge 144.0.0.0 desktop Windows NT 10.0
Updated
Sat Jan 31 2026
Found 1 result
Loading...
Safari 17.5 mobile iOS 17.5.1
Updated
Sat Jul 06 2024
Found 4 results
Loading...